
RANSOMWARE

What is Ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, until a ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to obtain a decryption key. If the demands are not met, the system or encrypted data remains unavailable, or the data may be deleted.


Ransomware: One of the fastest-growing threats

In a typical ransomware attack, the victim receives an e-mail addressed to them, opens it, and clicks on an attachment that appears legitimate, such as an invoice or an electronic fax, but which actually carries the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL that, when clicked, directs the victim to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network as the victim computer. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they see messages advising them of the attack and demanding a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually in bitcoin because of the degree of anonymity this virtual currency provides.

Have strong passwords, and don’t use the same passwords for everything.

Use a pop-up blocker.

Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).

Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.

Use the same precautions on your mobile phone as you would on your computer when using the Internet.

To prevent the loss of essential files due to a ransomware infection, individuals and businesses should always make regular system backups and keep at least one copy offline, or otherwise disconnected from the systems being backed up, so that an infected machine cannot reach and encrypt it.

What to Do if You Become a Victim of Ransomware

Disconnect the Computer from the Network

Once you suspect a computer might be infected with ransomware, the first thing to do is take it offline: unplug the Ethernet cable and turn off the Wi-Fi. If you cannot isolate it from the network any other way, power it off, bearing in mind that a shutdown discards the volatile memory that forensic analysis may later need. Because some ransomware spreads over network connections, the sooner you disconnect any potentially infected computers, the better your chances of containing the outbreak.

Disable Shared Drives

A growing number of ransomware families, such as CryptoFortress and Locky, will encrypt network and shared drives connected to the infected computer. The malware runs with the permissions of the logged-in user, so it can only damage shares that user can write to; restricting share permissions in advance limits the damage. If you suspect a ransomware infection, take all of your shared drives offline temporarily until you have cleaned out your network.

Update and Run Your Security Software

Check for and install any available updates to your security software, then run a scan on all of the devices on your network. Ransomware changes rapidly, so make sure the most current version of your antivirus and anti-malware endpoint protection is installed on computers throughout your network. A clean scan result does not prove a host is clean; a new variant may simply not be detected yet.

Restore from Backup (if possible)

The best way to recover without paying the ransom is to restore from a backup that was taken before the infection and kept out of reach of the infected system. Verify that the backup itself was not encrypted or altered before relying on it, since ransomware that reaches an attached backup drive will encrypt that too.
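As an added example (not part of the original page) of the check that makes a restore trustworthy, the Python script below records a sha256 manifest of a backup set and, before restoring, reports files that have been modified, removed or added since, flagging those whose contents have the near-random byte distribution of ciphertext. The directory layout, file names and the `.locked` extension are constructed for the demonstration; the manifest is written to a separate directory to stand in for offline storage.

```python
"""Hash-manifest check for a backup set before restoring from it.

Added example, not from the original page. Records a sha256 for every file
when the backup is made, then before a restore reports files that are
modified, missing or unexpected and flags those whose bytes look encrypted
(near-maximal Shannon entropy). Paths and file contents are constructed."""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Relative path -> sha256 for every file under root (sorted, '/' separators)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return dict(sorted(manifest.items()))


def verify_backup(root, manifest, entropy_threshold=7.5, sample_bytes=65536):
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    # Only changed or new files get the entropy check: those are the ones an
    # encryption pass over an attached backup drive would have produced.
    for rel in report["modified"] + report["unexpected"]:
        with open(os.path.join(root, rel), "rb") as f:
            if shannon_entropy(f.read(sample_bytes)) >= entropy_threshold:
                report["suspect_encrypted"].append(rel)
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or report["suspect_encrypted"])
    return report


def demo():
    """Constructed backup tree: clean verification, then the same tree after a simulated encryption pass."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as offline:
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "invoices.txt"), "w") as f:
            f.write("Invoice 1001: 250.00 EUR\nInvoice 1002: 80.00 EUR\n" * 50)
        with open(os.path.join(backup, "notes.txt"), "w") as f:
            f.write("Quarterly planning notes. " * 100)
        # The manifest lives with the offline copy, not on the backup drive itself,
        # so an infection that reaches the drive cannot rewrite it to match.
        manifest_path = os.path.join(offline, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(backup), f)
        with open(manifest_path) as f:
            manifest = json.load(f)
        before = verify_backup(backup, manifest)

        # Simulated crypto-ransomware (constructed): overwrite one file in place and
        # replace another with an encrypted-looking copy under a new extension.
        with open(os.path.join(backup, "docs", "invoices.txt"), "wb") as f:
            f.write(os.urandom(8192))
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "notes.txt.locked"), "wb") as f:
            f.write(os.urandom(8192))
        after = verify_backup(backup, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for phase in ("before", "after"):
        r = result[phase]
        print(f"{phase}: safe_to_restore={r['safe_to_restore']} modified={r['modified']} "
              f"missing={r['missing']} suspect_encrypted={r['suspect_encrypted']}")
```

The entropy check is a heuristic: compressed archives and media files also score near 8 bits per byte, so on a real backup set the manifest comparison is the primary check and entropy only corroborates it for files that changed, which is why the report applies it to modified and unexpected files only.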

Introduction - After the very public Petya-like attack in June 2017, a new and remarkably similar ransomware was observed spreading in the wild across Russia, Ukraine, and several other countries. Bad Rabbit, as it is known, was initially spread via drive-by downloads from compromised websites, posing as an Adobe Flash Player update, but it also contains the ability to propagate via SMB, and it encrypts files and prevents an infected system from booting properly.

Impact - Bad Rabbit is particularly damaging in that it not only encrypts files but also modifies the underlying filesystem and the master boot record (MBR). It harvests credentials with an embedded build of Mimikatz and, using both the harvested credentials and a built-in list of common usernames and passwords, attempts logins over SMB to propagate to other hosts. Once it is active within an organization it typically spreads quickly and widely, rendering infected systems inoperable in the process.
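The credential-guessing behaviour described above leaves a characteristic trail in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from one source against many accounts, followed by a success (event 4624) from the same source. The Python script below, an added example rather than anything from the original page or the Bad Rabbit analysis, runs that detection over a constructed log excerpt; the line format, field names and the 10.0.0.x addresses are assumptions standing in for a SIEM export, so the regular expression would be adapted to the real one.

```python
"""Spot a failed-logon burst over SMB followed by a success, the pattern left
behind when ransomware tries harvested or built-in credentials against other
hosts. Added example, not from the original page. The line format and field
names are an assumed SIEM export, not the native Windows event schema."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (not real telemetry). Windows Security event IDs:
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network logon,
# which is what an SMB session to a file share produces.
SAMPLE_EVENTS = """\
2017-10-24T12:00:01Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=Administrator Host=FS01
2017-10-24T12:00:02Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=Admin Host=FS01
2017-10-24T12:00:02Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=root Host=FS01
2017-10-24T12:00:03Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=backup Host=FS01
2017-10-24T12:00:03Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=user Host=WS02
2017-10-24T12:00:04Z 4625 LogonType=3 Source=10.0.0.15 TargetUser=guest Host=WS02
2017-10-24T12:00:05Z 4624 LogonType=3 Source=10.0.0.15 TargetUser=backup Host=FS01
2017-10-24T12:07:10Z 4625 LogonType=2 Source=10.0.0.40 TargetUser=jsmith Host=WS07
2017-10-24T12:35:10Z 4625 LogonType=2 Source=10.0.0.40 TargetUser=jsmith Host=WS07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d{4}) LogonType=(?P<logon_type>\d+) "
    r"Source=(?P<source>\S+) TargetUser=(?P<user>\S+) Host=(?P<host>\S+)$"
)
NETWORK_LOGON = 3


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected export format; skip rather than guess
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(d["event_id"]),
            "logon_type": int(d["logon_type"]),
            "source": d["source"], "user": d["user"], "host": d["host"],
        })
    return sorted(events, key=lambda e: e["ts"])  # stable sort keeps same-second order


def find_bursts(events, threshold=5, window_s=60, success_grace_s=600):
    """One alert per run of >= threshold network-logon failures from a source
    inside window_s seconds. A 4624 from that source within success_grace_s
    after the burst is reported as the credential that worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != NETWORK_LOGON:
            continue  # interactive logons (type 2 etc.) are not SMB propagation
        if e["event_id"] == 4625:
            failures[e["source"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source"]].append(e)

    alerts = []
    for source, fails in failures.items():
        i = 0
        while i < len(fails):
            # Extend the window as far as it reaches from failure i.
            j = i
            while j + 1 < len(fails) and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                j += 1
            burst = fails[i:j + 1]
            if len(burst) < threshold:
                i += 1
                continue
            last = burst[-1]["ts"]
            hit = next((s for s in successes[source]
                        if 0 <= (s["ts"] - last).total_seconds() <= success_grace_s), None)
            alerts.append({
                "source": source,
                "first_seen": burst[0]["ts"].isoformat(),
                "last_seen": last.isoformat(),
                "failures": len(burst),
                "distinct_users": sorted({e["user"] for e in burst}),
                "targets": sorted({e["host"] for e in burst}),
                "success_after_burst": hit["user"] if hit else None,
            })
            i = j + 1
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']}: {a['failures']} failed network logons against {a['targets']} "
              f"trying {len(a['distinct_users'])} accounts; success afterwards as: {a['success_after_burst']}")
```

On the constructed excerpt the script reports 10.0.0.15 for six failures across six accounts on two hosts, with a later success as `backup`, and ignores the two interactive (type 2) failures from 10.0.0.40 that are half an hour apart. The distinct-user count is what separates a spray from a single user mistyping a password; on real data, tune `threshold` and `window_s` against the normal failure rate of the environment.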

In the U.S., "the list of victims is very small," a Department of Homeland Security official tells NPR, noting that it's still relatively early in the WannaCry attack. The victims, the official says, range widely in scope, from a few computers at companies and organizations to networks of many more.

"The U.S. is still in a relatively good place — I don't want to jinx it," the department official says. "We don't have a large number of victims right now, and we, for the most part, are not seeing significant operational impacts for those who have been victimized. They've been able to manage through it."

The agency and its partners in the global security community are now in a "sort of cat-and-mouse" competition with hackers, as variants of the software that foil previous solutions emerge, the official says.